Tuesday, 18 August 2009

Two unseen computer users in Russia along with a colleague in Miami decide to set up a sting. They are after the millions of credit card numbers stored across retail servers. The US person does reconnaissance at the stores to see what type of protection they have. The team then cross-references this information with the types of protection reference on the companies’ web sites and starts a series of strategic attacks to gain entry to the networks using SQL injection, which exploits a vulnerability in the database layer. Once in, they place sniffers and malware on the network, capturing credit card data and sending it to servers in the US, the Netherlands and Ukraine. They communicate by IM, use proxy servers, and change their online identities frequently. Over the course of two years, they steal 130 million records, the majority of which is sold. What sounds like a hit summer movie is, in actuality, the detail outlined in an indictment released today in New York against the hackers who breached Heartland, among others.

If we look at this breach as a clever group of renegades, we are missing the point. These breaches show the value our financial data holds and how little control we ultimately have over it. Before we get dazzled by the locations, methods and number of credit cards hacked, we should ask why the data was not encrypted or did not have other protection mechanisms in place.

This type of defect is all too prevalent in the low quality IT systems in which we blindly give our trust. We can be sure that the biggest breach is yet to come!

Saturday, 15 August 2009

This week brought news of another successful breach at UC Berkeley, in which almost 500 records of applicants were stolen by hackers. This is the second such reported hack at UC Berkeley in less than five months, with the earlier hack exposing 160,000 records. These two attacks point to the attraction that universities hold for hackers. Every university requires personal data as part of the application process, and hackers know that these locations guarantee some amount of valuable data. Unlike financial services companies or many retailers, universities lack the most sophisticated data protection measures. They also do not have compliance standards for data housing, making them uniquely attractive to hackers.

The Open Security Foundation, a nonprofit that tracks data breaches, estimates more than 11 million records stored at US colleges and universities have been compromised. Many times, these breaches are not discovered until well after the data is lost. UC Berkeley, for example, found out about this current breach from an alleged hacker’s website.

We have entered a world in which personal data is always at risk from hackers who will grab and sell it for profit. Retailers and financial institutions have felt the pain of protection in this environment, and they have the latest technology as well as compliance measures for protection. What will universities do, since they do not have the same financial resources?The answer could come in part from compliance guidelines, with government and the private sector working together to suggest best practices and protection measures. Doing so should allow graduates to enter the post-university world with their data -- and credit reports -- uncompromised.

Friday, 7 August 2009

The risks of inappropriate data handling in health-care call-centers has been raised again in the press recently. It is clear that there needs to be some conduit for this sort of highly personal information as companies like insurers constantly need to utilize the information.

However, call-centers present a significant risk to data privacy. The bulk of the work in a call center is performed by low paid, low skilled telephone operatives in an industry where 30% annual turn over of staff is consider exceptionally low. One researcher suggests that in the banking sector in Scotland, the annual staff turnover is more like 80%. Worse still, police investigations have shown that call centers in some industries are routinely infiltrated by members of criminal gangs whose aims are to get copies of valuable data.

The original article acknowledges the insider and external threats, and states “Agents must have “easy to use” and reliable means to send and receive confidential…” information “ … inside the firewall, as well as outside.” We all know that “easy-to-use” systems and “secure-systems” rarely go together. With the low skills level and high staff turn over, my guess is that “easy” trumps “secure”. Perhaps we should associate "easy-to-use" with "easy-to-lose" (data).

Do you want your precious health-care record sneezed on and transmitted “un-healthily” around a call center?